The author is a Forbes contributor. The opinions expressed are those of the writer.


Dr. Web's chief executive Boris Sharov, who says Apple never responded when the firm shared its findings on the Flashback botnet.

Updated with more details of Apple's response below.

Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets. And according to the firm that discovered this new outbreak, it could use a lesson in teamwork.

Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, says he learned Monday from the Russian Web registrar Reggi.ru that Apple had requested the registrar shut down one of its domains, which Apple said was being used as a "command and control" server for the hundreds of thousands of PCs infected with Flashback. In fact, that domain was one of three that Dr. Web has been using as a spoofed command and control server--what researchers call a "sinkhole"--to monitor the collection of hijacked machines and try to understand their behavior, the technique that allowed the firm to first report the size of Apple's botnet last week.
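To make the sinkhole technique concrete, here is an added example (not Dr. Web's code or data) of how a researcher who controls a C2 domain could estimate a botnet's size from the check-ins that land on the sinkhole; the log line format and the per-infection bot identifier are assumptions for illustration, and the log itself is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole check-ins (not real data). Assumed format:
#   <ISO timestamp> <source IP> <bot id sent by the infected machine>
SINKHOLE_LOG = """\
2012-04-09T10:00:01Z 198.51.100.7 bot-0001
2012-04-09T10:00:05Z 198.51.100.7 bot-0002
2012-04-09T10:01:10Z 203.0.113.4 bot-0003
2012-04-09T11:30:00Z 198.51.100.7 bot-0001
2012-04-10T08:15:22Z 203.0.113.9 bot-0004
2012-04-10T08:16:40Z 203.0.113.4 bot-0003
malformed line without three fields
"""

def parse_checkins(log_text):
    """Yield (timestamp, ip, bot_id) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # sinkhole traffic is noisy; ignore lines we cannot parse
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]

def estimate_botnet(log_text):
    """Return (unique_bots, unique_ips, active bots per day).

    Unique bot ids are the better size estimate: several infected machines
    behind one NAT gateway share an IP, and one machine may check in from
    several IPs over time, so counting IPs can both under- and over-count.
    """
    bots, ips = set(), set()
    per_day = defaultdict(set)
    for ts, ip, bot_id in parse_checkins(log_text):
        bots.add(bot_id)
        ips.add(ip)
        per_day[ts.date().isoformat()].add(bot_id)
    return len(bots), len(ips), {d: len(b) for d, b in sorted(per_day.items())}

if __name__ == "__main__":
    total, by_ip, daily = estimate_botnet(SINKHOLE_LOG)
    print(f"unique bots: {total}, unique IPs: {by_ip}, active per day: {daily}")
```

Running it on the constructed log reports 4 unique bots across 3 IPs, which is why a sinkhole count keyed on a per-bot identifier is more trustworthy than an IP count.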

"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren’t the ones controlling it and not doing any harm to users," says Sharov. "This seems to mean that Apple is not considering our work as a help. It’s just annoying them."

Sharov believes that Apple's attempt to shut down its monitoring server was an honest mistake. But it's a symptom of the company's typically tight-lipped attitude. In fact, Sharov says that since Dr. Web first contacted Apple to share its findings about the unprecedented Mac-based botnet, it hasn't received a response. "We've given them all the data we have," he says. "We've heard nothing from them until this."

I've contacted Apple for comment, but haven't yet heard back from the company either.

In Apple's defense, it may not have recognized Dr. Web as a credible security firm when the company contacted Apple earlier this month--I hadn't heard of the firm either until its discovery and analysis of the Flashback botnet. But the better-known security firm Kaspersky confirmed Dr. Web's findings on Friday. A Kaspersky representative said it hadn't contacted Apple with its findings and hadn't had any direct communication with Apple, and Kaspersky researcher Kurt Baumgartner wrote in a statement that "from what we’ve seen, Apple is taking appropriate action by working with the larger internet security community to shut down the Flashfake [also known as Flashback] C2 domains. Apple works vigorously to protect its brand and wants to rectify this." Kaspersky wouldn't offer more details on how Apple is working with the security community.

Update: Apple now says it will release a Flashback removal tool and is "working with ISPs worldwide" to disable the botnet's command and control servers.

Locating and shutting down command and control servers is typical practice for a company trying to behead and cripple a botnet targeting its computers. Sharov says that Dr. Web has worked with Microsoft several times in the past on those efforts. But Apple, which has never dealt with a botnet the size of the Flashback infection, has fewer ties to firms like Dr. Web, Sharov says. "For Microsoft, we have all the security response team's addresses," he says. "We don't know the antivirus group inside Apple."

Sharov, like others, criticizes Apple for its delay in issuing a patch for a security vulnerability in Java that the Flashback malware exploited to invisibly install itself on Macs when users visit infected web pages. The bug was patched by Oracle in February, but Apple didn't fix the flaw until earlier this month. "Their response should have been much earlier when they should have updated their Java," says Sharov. "Now calling registrars to shut down domains is not as important. The infection has already taken place. There are dozens of domains [controlling] the botnet. Shutting down one does nothing."

(Read about how to check your computer for Flashback and remove it here.)

Dr. Web and Kaspersky both estimate that more than 600,000 Macs are infected with Flashback, which would represent more than 1% of all of Apple's PCs. So far, the botnet is being used for click fraud rather than credit card theft. But its sheer size represents a shift in the cybercriminal underground, which has long ignored Macs to focus on Windows' larger market share.

Apple's less-than-diplomatic handling of Dr. Web's work wouldn't be the first time it's raised the hackles of the security research community. When well-known Apple researcher Charlie Miller created a proof-of-concept app demonstrating a flaw in Apple's security restrictions, the company responded by revoking his developer's license.

Sharov says he can understand Apple's brusque response to his researchers' work. "These are not pleasant days for them," he says. "They're not thinking about us. The safety of Macintosh computers is going down very quickly, and they’re thinking what to do next. They’re thinking about how to manage a future where the Mac is no longer safe."